Is Gmail's Confidential Mode HIPAA Compliant?
Let's take a closer look at Gmail's confidential mode and compare it to tried and true secure cloud fax service alternatives.
Gmail's confidential mode is not HIPAA compliant on its own. Google added this Information Rights Management (IRM) feature in 2019, and it stops a recipient from forwarding, copying, downloading, or printing a message; senders can also set an expiration date, revoke access after sending, or require text-message verification before the recipient can open it. Useful as those controls are, they don’t meet HIPAA’s two core requirements for protected health information (PHI): guaranteed encryption of the message both at rest and in transit, and a signed business associate agreement (BAA) with Google covering that use. Confidential mode offers neither by default, and it has no way to stop a recipient from screenshotting or photographing PHI and forwarding that instead. For healthcare providers, insurers, and other covered entities, that gap makes confidential mode too risky to rely on for PHI unless it’s paired with a genuinely HIPAA-compliant channel, such as secure cloud fax.
The question comes up often because Gmail is the most widely-used e-mail platform on the planet, accounting for over one-third of all e-mail opens globally — so when Google rolled confidential mode out to every account, healthcare organizations immediately asked whether it was safe to use for PHI. Let’s take a closer look at what confidential mode actually does, and how it compares with a tried-and-true HIPAA-compliant fax alternative.
What is Gmail Confidential Mode?
Confidential mode adds a technology called “Information Rights Management” (IRM) to Google’s popular e-mail product. In a nutshell, confidential mode makes it impossible for a user to forward, copy, download, or print messages. This dramatically reduces the risk that your e-mail recipient might accidentally forward the confidential information you send to an unauthorized third party.
Confidential mode also allows senders to add expiration dates to a message, revoke access to a message after it is sent, or require the reader to provide text message authentication before viewing an e-mail. This latter feature adds a powerful new layer of protection; even if your recipient’s e-mail is accessed by an unauthorized party, that person will be unable to see the information contained in your message.
If a recipient is determined to share information, there are still ways to accomplish that. Confidential mode has no way to prevent a user from taking screenshots or photos, then forwarding those to an unauthorized party.
Is Gmail Confidential Mode HIPAA Compliant?
Is Gmail’s confidential mode enough to protect you from falling afoul of HIPAA, though? As most covered entities know, HIPAA violations are a very serious matter. Financial penalties can be quite high, and reputational damage can also be severe. In 2020, a large health insurance carrier in the Pacific Northwest agreed to pay $6.85 million to settle potential HIPAA violations related to a cybersecurity breach. Although most penalties for HIPAA violations are not as high as that, – they nevertheless pose a serious financial risk to covered entities.
Consequently, the question of HIPAA compliance and Gmail confidential mode is critically important. Providers, insurers, and business associates must therefore perform careful due diligence to determine whether Gmail’s new confidential mode really meets HIPAA compliance standards.
In order for any technology to be HIPAA compliant for sending and receiving electronic protected health information (ePHI), information must be secured at all times, whether it is “in transit” or “at rest”. All messages must be encrypted. As a sender, you can’t guarantee encryption of your Gmail messages at the receiving end of the transmission.
Furthermore, you would need to have a signed business associate agreement (BAA) with Google. This is true of any third party who might potentially have access to PHI or ePHI that has been entrusted to you.
Google's confidential mode, while a great step toward a stronger data privacy system, is not strictly HIPAA compliant. It should not be viewed as a replacement for other safeguards that your organization may already be implementing to ensure that organization data remains safe.
How to Ensure HIPAA Compliant Communications, Every Time
The inherent gaps in e-mail security are precisely why most medical offices still trust fax technology to exchange information with other providers, as well as with insurance carriers, business associates, and other covered entities.
Fax is proven to be safe from unauthorized access, provided that covered entities adhere to best practices such as using an appropriate cover page with a printed HIPAA disclaimer. If a fax is inadvertently made available to an unauthorized person in the receiving office, this will protect you from liability. A good HIPAA Compliant cloud fax provider will make it easy to attach a cover page as part of their standard workflow for outgoing faxes.
For incoming faxes, many medical offices try to make do with a dedicated phone connected to a multifunction fax/printer/scanner kept in a secure location. Even that poses some risks, though. If an incoming fax is not retrieved right away, or if printed documents are disposed of improperly, a HIPAA violation could occur. It also results in a lot of trips back and forth to that dedicated fax machine, wasting time and money.
The safest option by far is to go with a cloud-based HIPAA Compliant fax. A secure cloud fax service combines the proven rock-solid security of fax technology with ultimate flexibility. Users can send and receive faxes from their desktop computer, or potentially even from a mobile phone. As noted previously, the best HIPAA Compliant fax services also automate the process of adding a cover page with a HIPAA disclaimer. Secure cloud fax also maintains a record of every document you send or receive, giving you a clear audit trail that’s safe from unauthorized access.
Secure cloud fax continues to be a reliable solution for covered entities of all sizes. Barry Clark, President and Founder of WestFax comments:
“Over the years we’ve seen various seemingly secure document transport platforms, but our customers appreciate the tried-and-true method of HIPAA Compliant Secure Cloud Fax to ensure HIPAA compliance”
Look for a HIPAA Compliant fax service that offers a BAA for fax. A business associate agreement (BAA) protects you in the event that a third party whom you entrust with PHI fails to safeguard it properly. By signing a BAA for fax, your cloud service provider is assuming responsibility for protecting your patients’ confidential information in accordance with HIPAA.
Ask potential fax vendors about their own security. WestFax, for example, maintains its servers in access-restricted data centers that offer 24/7 security, video surveillance, and biometric access control. Not all cloud fax providers offer that. WestFax’s servers are monitored and protected 24x7 by a dedicated security team.
Are you ready to make the switch to HIPAA-Compliant Secure Cloud Fax Service?
Contact WestFax today to discuss your needs.
